CVE-2026-52815 | Gogs is an open source self-hosted Git service. Prior to 0.1… | CVSS 5.5 MEDIUM

Description

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1/org_team.go:8 returns all teams for any organization without requiring authentication. The route group at internal/route/api/v1/api.go:380-385 lacks the reqToken() middleware, and the listTeams() handler performs no authentication check, exposing team IDs, names, descriptions, and permission levels to any unauthenticated caller. This vulnerability is fixed in 0.14.3.

Metadata

CVE ID: CVE-2026-52815
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-08 18:11 UTC
Published: 2026-06-24 20:01 UTC
Last updated: 2026-06-24 20:01 UTC
Primary CWE: CWE-200
CWE-200: Exposure of Sensitive Information to an Unauthorize…
Vendor / Product: gogs / gogs
Sources: cve.org · NVD

Severity & Metrics

5.5 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

Affected products (1)

Vendor	Product	Platform	Versions
gogs	gogs	—	< 0.14.3

Weakness (CWE)

CWE	Source	Description
CWE-200	cna	CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.5	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

References (1)

https://github.com/gogs/gogs/security/advisories/GHSA-744x-3838-5r56 https://github.com/gogs/gogs/security/advisories/GHSA-744x-3838-5r56